Hi, and thanks for your reply,
Please find the explained scenario below:
We have all Trust users going to the internet via ISP1 (pp0.0), except one IP (10.78.1.250), which must go via ISP2 (ge-0/0/1, connected to an ADSL modem).
This was done successfully using filter-based forwarding as below, using instance-type forwarding.
set interfaces ge-0/0/2 unit 0 family inet filter input webFilter (ge-0/0/2=10.78.1.1=Trust)
set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic instance-type forwarding
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 131.1.1.200 (adsl modem)
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set security nat source rule-set FB from zone Trust
set security nat source rule-set FB to zone ISP2
set security nat source rule-set FB rule R1 match source-address 10.78.1.250/32
set security nat source rule-set FB rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set FB rule R1 then source-nat interface
The same IP (10.78.1.250) is configured with static NAT to allow traffic to it from ISP2.
Traffic comes to the ADSL modem --> NAT to SRX ge-0/0/1 (ISP2 zone). Static NAT is configured from the ISP2 zone, then destination IP of ge-0/0/1 (131.1.1.201) to the internal prefix IP (10.78.1.250).
What needs to be modified to make the static NAT work? The configuration below doesn't work (the needed security policies are configured too, but omitted here):
set security nat static rule-set FB1 from zone ISP2
set security nat static rule-set FB1 rule ru1 match destination-address 131.1.1.201/32 (srx-ge-0/0/1port)
set security nat static rule-set FB1 rule ru1 match destination-port 134
set security nat static rule-set FB1 rule ru1 then static-nat prefix 10.78.1.250/32
set security nat static rule-set FB1 rule ru1 then static-nat prefix mapped-port 134
I also tried configuring the routing instance type as virtual router, and also doing the static NAT from the routing instance instead of the ISP2 zone, but to no avail.
Can the instance-type be configured as virtual-router, with the ISP2 port (ge-0/0/1) and the static NAT added to it, without adding the Trust interface (ge-0/0/2)?
Thanks and regards,